fix(automerge): keep check green for non-genuine dependabot PRs#476
Merged
Conversation
Soft-fail the fetch-metadata step so unverified dependabot PRs no longer show a red check in the PR overview. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0x46616c6b
approved these changes
Jul 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
Added
continue-on-error: trueto theLoad dependabot metadatastep intemplate_automerge_dependabot.yml.Why needed
The job runs whenever the PR author login is
dependabot[bot]. Ifdependabot/fetch-metadatacan't verify the commit signature (rebased or otherwise non-genuine dependabot PR), it callssetFailedand the whole job goes red, showing a failing check in the PR overview even though nothing needed merging. Example: patroni-selfheal run.Why safe
When the step soft-fails it produces no outputs. The merge step's
ifrequiressteps.metadata.outputs.update-typeto equal a real value (version-update:semver-*); an empty value matches nothing, so the merge step is skipped. Outputs come only from the action, so a PR can't spoof them. Genuine dependabot PRs still merge exactly as before; everything else no-ops to a green check.How to review
Confirm the merge step still gates on a concrete
update-type, and that no step runs after it (it's the last step, so a skip ends the job green).